Fail2ban - error message

Hi guys,

I just installed fail2ban as follows:

Code:
cd /usr/ports/security/py-fail2ban/ && make install clean
echo 'fail2ban_enable="YES"' >> /etc/rc.conf
cp /usr/local/etc/fail2ban/jail.conf /usr/local/etc/fail2ban/jail.local
I then added the following to the new jail.local
Code:
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 6000
findtime = 6000
backend = auto
action = pf
[nginx-filenotfound]
enabled = true
port = http,https
filter = nginx-filenotfound
logpath = /usr/jails/nginxjail/usr/local/www/docs/*/logs/error.log
maxretry = 10
[nginx-authfail]
enable = true
port = http,https
filter = nginx-authfail
logpath = /usr/local/www/webs/example.com/logs/error80.log
maxretry = 10
created /usr/local/etc/fail2ban/filter.d/nginx-filenotfound.conf
Code:
[Definition]
# search for specified file extensions
#failregex .*\[error\].open\(\) "\S*(\.php|\.asp|\.html|\.js)\S*" failed.*client: ,.*
# if there is any error because a dir or file was not found
failregex = .*\[error\].*failed.*No such file or directory.*client: ,.*
ignoreregex =
created /usr/local/etc/fail2ban/filter.d/nginx-authfail.conf
Code:
[Definition]
failregex = .*\[error\].*no user/password was provided for basic authentication.*client: ,.*
.*\[error\].*user .* was not found in.*client: ,.*
.*\[error\].*user .* password mismatch.*client: ,.*
ignoreregex =
and lastly I changed /usr/local/etc/fail2ban/action.d/pf.conf
Code:
...
actionban = pfctl -t fail2ban -T add
actionunban = pfctl -t fail2ban -T delete
...

When I start fail2ban /usr/local/etc/rc.d/fail2ban start I get the following in the fail2ban.log file
Code:
2013-10-16 22:02:35,203 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.10
2013-10-16 22:02:35,224 fail2ban.jail   : INFO   Creating new jail 'nginx-filenotfound'
2013-10-16 22:02:35,226 fail2ban.jail   : INFO   Jail 'nginx-filenotfound' uses poller
2013-10-16 22:02:35,406 fail2ban.jail   : INFO   Initiated 'polling' backend
2013-10-16 22:02:35,431 fail2ban.filter : INFO   Added logfile = /usr/local/www/webs/example.com/logs/error80.log
2013-10-16 22:02:35,433 fail2ban.filter : INFO   Set maxRetry = 10
2013-10-16 22:02:35,437 fail2ban.filter : INFO   Set findtime = 6000
2013-10-16 22:02:35,439 fail2ban.actions: INFO   Set banTime = 6000
2013-10-16 22:02:35,443 fail2ban.filter : ERROR  No 'host' group in '.*\[error\].*failed.*No such file or directory.*client: ,.*'
2013-10-16 22:02:35,443 fail2ban.comm   : WARNING Command ['set', 'nginx-filenotfound', 'addfailregex', '.*\\[error\\].*failed.*No such file or directory.*client: ,.*'] has failed. Received RegexException("No 'host' group in '.*\\[error\\].*failed.*No such file or directory.*client: ,.*'",)

Can anyone help me understand where I went wrong please?

Thank you.

Fred
 
Hi,

Where did you get these strange configs? :) You don't have <HOST> in the regexes.

Replace the regex in your nginx-filenotfound.conf with, for example:
Code:
.* is not found in .*, client: <HOST>
which will perfectly match entries from Nginx's error log like this one (some bots trying to find phpMyAdmin on my test site):
Code:
2013/10/18 03:09:26 [error] 19884#0: *61568 "[hidden]/sometfile" is not found (2: No such file or directory), client: 193.253.204.80, server: [hidden], request: "GET /phpMyAdmin-2.5.5/ HTTP/1.1", host: "[hidden]"
or you can match on "No such file or directory"; it will be the same.

Your nginx-authfail.conf also misses the <HOST> entry in the regex.

Also, do not touch pf.conf from action.d. You removed the <ip> entry, and Fail2ban will not be able to apply the actions correctly, because it won't know which IP address to block or unblock; it is as if you tried to insert/remove nothing to/from the PF table. The ban and unban actions should be left untouched, unless you are using another table name instead of the default (then you should change the tablename on the last row of the file). Replace this file with the default one.
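To see why both fixes in this reply matter, here is an added example (not from the thread or from the fail2ban project) that mimics what fail2ban does with a failregex and an action line: it expands the <HOST> tag into a named group, refuses a pattern with no host group (the exact error in Fred's log), pulls the client IP out of the sample error-log entry quoted above, and substitutes that IP into the pf action. The <HOST> expansion is the one used by fail2ban 0.8's filter code as I remember it (treat the exact group pattern as an assumption); the failregex used here is the "No such file or directory" variant mentioned in the reply, and the action line is Fred's pfctl line with the <ip> tag restored.

```python
import re

# Expansion fail2ban 0.8 applies to the <HOST> tag (assumed; reproduced from memory
# of its filter code). The important part is the named group "host".
HOST_TAG_REGEX = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The error-log entry quoted in the reply above, used unchanged as sample input.
SAMPLE_LOG_LINE = (
    '2013/10/18 03:09:26 [error] 19884#0: *61568 "[hidden]/sometfile" is not found '
    '(2: No such file or directory), client: 193.253.204.80, server: [hidden], '
    'request: "GET /phpMyAdmin-2.5.5/ HTTP/1.1", host: "[hidden]"'
)

# Fred's original pattern (no <HOST>) and a corrected one matching on
# "No such file or directory", as the reply suggests.
ORIGINAL_FAILREGEX = r".*\[error\].*failed.*No such file or directory.*client: ,.*"
FIXED_FAILREGEX = r".*\[error\].*No such file or directory.*, client: <HOST>"

# Fred's edited pf action line with the <ip> tag put back (hypothetical, not the shipped default).
PF_BAN_TEMPLATE = "pfctl -t fail2ban -T add <ip>"


class RegexException(Exception):
    """Raised for a failregex without a host group, mirroring the error in Fred's log."""


def compile_failregex(failregex: str) -> re.Pattern:
    """Expand <HOST> and reject patterns that carry no host group, as fail2ban does."""
    compiled = re.compile(failregex.replace("<HOST>", HOST_TAG_REGEX))
    if "host" not in compiled.groupindex:
        raise RegexException(f"No 'host' group in '{failregex}'")
    return compiled


def failregex_is_valid(failregex: str) -> bool:
    """True if fail2ban would accept the pattern (i.e. it yields a host group)."""
    try:
        compile_failregex(failregex)
        return True
    except RegexException:
        return False


def find_host(failregex: str, line: str):
    """Return the client IP the filter would pass to the action, or None on no match."""
    match = compile_failregex(failregex).search(line)
    return match.group("host") if match else None


def expand_action(template: str, ip: str) -> str:
    """Substitute <ip> in an action.d command the way fail2ban does before running it.

    With the tag removed (as in Fred's pf.conf) the IP is simply dropped and pfctl
    receives no address to add to the table.
    """
    return template.replace("<ip>", ip)


if __name__ == "__main__":
    print("original pattern accepted:", failregex_is_valid(ORIGINAL_FAILREGEX))
    print("fixed pattern accepted:   ", failregex_is_valid(FIXED_FAILREGEX))
    ip = find_host(FIXED_FAILREGEX, SAMPLE_LOG_LINE)
    print("extracted client IP:      ", ip)
    print("ban command:              ", expand_action(PF_BAN_TEMPLATE, ip))
    print("without <ip> tag:         ", expand_action("pfctl -t fail2ban -T add", ip))
```

Running it shows the original pattern rejected with the same "No 'host' group" message as the log, the fixed pattern extracting 193.253.204.80, and the pfctl command complete only when the <ip> tag is present.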
 
Hi @quintessence,

Do you mean replace
Code:
failregex = .*\[error\].*failed.*No such file or directory.*client: ,.*
with
Code:
failregex = .* is not found in .*, client: <HOST>
 